I have opened case #7112044 asking about this last Thursday but nobody has responded yet... We do not use these IP ranges nor do we have Windows XP in our environment.
I have seen this too. We had a new computer show up called 'Test-PC' that we could not figure out where it came from. We ended up deleting it and it hasn't returned. Perhaps it is Sophos doing something on their end?
Are you, or any of the admins on your network, running Sophos AD Sync? That is the only way that I would think this would be possible.
In reply to Garrett:
Yes, we do but these are not domain joined systems.
In reply to gdriggs:
Purely curious, but have you tried to ping that IP to see if anything responds?
There's no route to those hosts. We use some networks in 10.0.0.0/8 but neither of the ones that these PCs are alleged to be in.
I suppose the obvious things to check/consider initially would be:
1. In the Central Audit logs (cloud.sophos.com/.../audit), has no one other than the expected admins logged in to obtain the URLs of your installers?
2. None of your end users have taken the SophosInstall.exe home or shared it with friends?
3. The URLs of your installers (e.g. dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/.../SophosInstall.exe) have been published/leaked/shared?